This post will be on the topic of exploitable testing platforms for learning how to conduct a penetration test. I will take you through a few programs I have used and give a bit of information about each and explain how they will help you increase your penetration testing skills.
Before you get started
There are, however, a few recommended pieces of software to get acquainted with before we get started. These include virtual environments and hacking tools. Below is a list of widely used software that penetration testers often use:
Virtual machine environment
below are two of the most prevalent platforms
- VirtualBox - Free and commonly used, however Oracle have stopped the development of this software so there will be no more updates and it’s not as advanced as it could be. It still serves its purpose fantastically and is highly commended.
- VMWare Workstation - For the latest version, at the time of posting this, a registration key costs ~£180. If you are student, you may be able to get it for free depending on your Universities policies. You can also get the slightly more cut down version called VMware Player which is similar to VirtualBox (either of the aformentioned hosting platforms will work fine for your penetration testing needs)
- Hyper-V - Microsoft Hyper-V is free, which is always a plus. It works seamlessly with Windows and “most” Linux distros (although there is some tinkering required to get Kali to display correctly) and, while not having some of the bells and whistles of the others, Hyper-V does support the most common functionality you would need on a Penetration Test.
As a side note, make sure all virtual machines are on an internal subnet. Some networking experience may be required to be sure of this, but there are plenty of tutorials online to help you out. If possible, disconnect your hack lab from the internet so there is no chance of accidently running scans/exploits on external machines. This could lead to potential infringements of computer misuse laws which can easily be avoided if you use a little common sense; only hack your own machines
Operating System for Hacking
- Kali Linux - Security penetration testing distribution of Linux with hacking tools. A few of the tools that will more than likely be used in conjunction with the vulnerable software in this blog include:
There is an absolute wealth of information on the topics covered in this post on Google. If you ever get stuck, there will always be a walk-through and/or YouTube video to help you out. It’s recommended that walk-through’s are a last resort as half the fun is trying to figure it out for yourself.
And now, without further ado, let’s get into a few reviews of various purposefully vulnerable applications.
First up is WebGoat. This was one of the first Vulnerable Web Apps I practiced on and I have to say it is a great introduction to the world of penetration testing. It’s easy to set up and starts you off with the basics and walks you through loads of different attack vectors. These include: Access Control Flaws, SQL Injections, Cross-Site Scripting (XXS) and much much more. Once all the tutorials have been completed there is a final challenge that brings together everything you have learned. There are also hints and tips built into WebGoat to subtlety nudge you in the right direction in case you get stuck.
The downside to WebGoat is that even though it walks you through a wide range of techniques and attacks, none of them ever seem applicable at the time. The demonstrations seem very staged. I would take everything you learn on this with a pinch of salt and use it as an awareness tool that opens your eyes to the possibilities.
Next we have Damn Vulnerable Web Application (DVWA). This takes the concept of WebGoat slightly further by having multiple settings to change the level of security on the web app. This means that if you are new to hacking, you can set the level to easy and it shouldn’t be too hard to complete the challenges. However, if you are experienced you can ramp it up a notch and set the level to difficult and enjoy pulling your hair our as you try to gain access to the system.
The diversity of the attacks are not quite as broad as WebGoat, but each attack has a more realistic feel and actually makes you think as though you are hacking a web application. There is also a fair amount of help online for this one, but it’s probably best that you have at least some experience with penetration testing before you tackle this one. Even setting it up is slightly more complex as you have to create a server in a virtual machine by installing the DVWA .iso which might by slightly challenging to the absolute beginner.
Damn Vulnerable Linux (DVL) is a great broken operating system that’s enjoyable to practice on. It’s based off the Linux distribution Damn Small Linux and has a load of out dated and broken software and services that can be set up and run just with a couple of clicks. This style of penetration testing can resemble a vast amount of scenarios as some of the services installed range from SSH, MySQL, Apache and much more. It also comes with programs that can be used offline such as Buffer Overflow attacks and other memory/stack manipulation challenges.
The only downsides to this distribution are that there isn’t too much documented about it and it seems hard to find a decent copy of it online. I only managed to get it from a CD that a lecture at University lent me. I’m also still yet to find an active community of people discussing its applications. If you do decided to have a go with this one, be prepared to spend a fair amount of time teaching yourself and playing about with all it has to offer. In the end though, you’ll walk away with a smug look on your face and a lot of experience under your belt.
Metasploitable is an amazing application to practice on. It focuses more on the networking side of penetration testing and has a multitude of services and exploits to explore. The absolute beginner might be slightly overwhelmed but there is always something new to be learned with this one. Metasploit is well documented and there are even books to help if you really want to get stuck in. I would say this is one of the more realistic hacking practice grounds and it’s a great environment to use from intermediate all the way to advanced where you can actually compile your own exploits.
There is however not too much on this one in terms of web applications so it should be used more as a general training ground that covers a vast amount of services. Things to look into with this are automated scanning tools such as Nessus and nmap as well as exploitation frameworks such as Metasploit.
If you have completed all of these challenges and feel you still want to practice your hacking skills on more vulnerable applications but are unsure of where to go now. Fear not fellow white hat. If you follow this link you will be taken to the Open Web Application Security Project (OWASP) page with a list of lots more vulnerable applications to practice on. Enjoy.